From: Khachatur Shahinyan
Date: Sat, 13 Sep 2008 10:42:06 +0500
To: freebsd-security@freebsd.org
Subject: Freebsd auto locking users
Message-ID: <48CB52AE.6070501@arca.am>

Dear FreeBSD gurus,

I have a problem concerning user password and authentication policies. The goal is to:
1) make FreeBSD lock users after 3 unsuccessful login attempts,
2) force users to change their passwords every 90 days.

I've done such changes in Linux distros, with various PAM modules. But in FreeBSD it seems that I need to use the login.conf file.
Here I made the necessary changes in that file:

>>>>>>
default:\
.............
.............
.............
:login-retries=1:\
:passwordtime=90d:\
:warnpassword=7d:\
:warnexpire=7d:\
>>>>>>>

Then I ran cap_mkdb /etc/login.conf, and everything went normally, with no error messages, but after adding a test user I see no changes in the master.passwd file. The fields which are reserved for password aging parameters are 0:0

test:$1$F9yf.PuK$xqIsGEgK3MexpPZ4UBav0.:1001:1001::0:0:User &:/home/test:/bin/sh

And the locking part does not work either, e.g. no matter how many times I input a wrong password, I'm still able to log in. :(

I cannot understand what I'm doing wrong, and what should be done to solve these issues. I'm not an expert in FreeBSD administration, so any comments and suggestions are welcome.

Thank you,
Khachatur Shahinyan
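
The master.passwd fields the message refers to, decoded in an added example that is not part of the original post. It assumes the ten-field layout documented in passwd(5) (name, password, uid, gid, class, change, expire, gecos, home_dir, shell); the sample entries, the `NOW` timestamp and all function names are constructed for illustration.

```python
from dataclasses import dataclass

DAY = 86400

@dataclass
class Entry:
    name: str
    login_class: str  # field 5; empty when no class is assigned
    change: int       # field 6: password change time, epoch seconds, 0 = not set
    expire: int       # field 7: account expiry time, epoch seconds, 0 = not set

def parse_master_passwd(line: str) -> Entry:
    """Split one master.passwd line and keep the class and aging fields."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != 10:
        raise ValueError(f"expected 10 fields, got {len(parts)}")
    name, _pw, _uid, _gid, cls, change, expire = parts[:7]
    return Entry(name, cls, int(change or 0), int(expire or 0))

def _state(when: int, now: int) -> str:
    """Describe an aging timestamp relative to 'now'."""
    if when == 0:
        return "not set"
    if when <= now:
        return "passed"
    return f"in {(when - now) // DAY} days"

def aging_report(lines, now: int):
    """Return (name, class, change state, expire state) for each account line."""
    rows = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue  # skip blank lines and comments
        e = parse_master_passwd(line)
        rows.append((e.name, e.login_class,
                     _state(e.change, now), _state(e.expire, now)))
    return rows

NOW = 1221284526  # constructed reference time (September 2008)
# Constructed sample entries; password fields replaced with "*".
SAMPLE = [
    "# constructed sample, not a real master.passwd",
    "test:*:1001:1001::0:0:User &:/home/test:/bin/sh",
    f"alice:*:1002:1002:staff:{NOW + 90 * DAY}:0:Alice:/home/alice:/bin/sh",
    f"bob:*:1003:1003::{NOW - DAY}:{NOW + 10 * DAY + 5}:Bob:/home/bob:/bin/sh",
]

if __name__ == "__main__":
    for row in aging_report(SAMPLE, NOW):
        print("%-6s class=%-6r change=%-12s expire=%s" % row)
```
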